Configuring HTTPS settings
The HTTPS Configuration page enables you to configure the HTTPS settings for the appliance. This includes:
- Generating server keys and certificate signing requests
- Uploading and signing server certificates
- Upload a CA certificate bundle to the appliance, or download them from the appliance
- Upload a Certificate Revocation List to revoke access to the appliance
- Enable and disable HTTP or HTTPS web access to the appliance
To access the HTTPS Configuration page, select HTTPS from the Security section of the Administration tab.
If BMC Discovery is integrated with a Web Authentication (Single Sign On) solution, you need to replace a default Certificate Authority (CA) bundle on BMC Discovery.
The following topics are provided in this section:
To generate a server key
- On the HTTPS Configuration page, click Generate New Key. The Generate Key dialog displays.
Enter relevant information in the editable fields:
Enter the hostname of the appliance if it is standalone. If the appliance is a cluster member, enter the cluster alias, or if an alias has not been set then enter the cluster name.
The two character country code for the country in which the appliance is located, for example GB.
State or Province
The state or province in which the appliance is located, for example Yorkshire.
The locality in which the appliance is located, for example York.
The company name, for example, BMC Software.
The department using the appliance. This field is optional.
The email contact for users of this appliance. This field is optional.
RSA key length
The RSA key length. Select one of the following from the drop down list: 1024, 2048, or 4096 bits.
The values used in the Generate Key dialog must match those used by the certificate authority.
When you have entered the required information, click Apply to generate the key.
The dialog is dismissed and the new server key is saved as
$TIDEWAY/etc/https/server.keyonto the appliance's file system. A certificate signing request is also generated; it is called
server.csrand is saved in the same location.
When you have a key and a signing request, it must be signed before it can be used. You can do this using one of the following methods:
- Use a certificate authority—Continue with this procedure.
- Sign the certificate yourself—See Self signing a server certificate.
- To download the certificate signing request, click Download CSR and use the download dialog to choose the location on your local filesystem in which to save the file.
- Send the certificate signing request file to your certificate signing authority for signing.
When the certificate signing authority has approved the request, they will generate the corresponding certificate and return it as a .crt file.
Uploading a server certificate
- When your certificate signing authority has approved the request and returned a certificate, save the certificate file on your local filesystem.
- On the HTTPS Configuration page, click Upload in the Server Certificate row.
- Click Browse next to Certificate File and select the server certificate you saved in Step 1 of this procedure.
- Click Apply.
The new certificate is uploaded onto the appliance.
Self signing a server certificate
If you do not use a certificate authority but still require HTTPS access to the appliance, you can use the self-signing feature.
- Ensure that you have created a server key and certificate signing request on the appliance using the procedure described in to generate a server key.
- On the HTTPS Configuration page, click Self Sign in the Server Certificate row.
The server key that you created is signed and saved as a new certificate called server.crt
Uploading or downloading a CA certificate bundle
The CA certificate bundle that is included by default contains a number of certificates from public certificate authorities. These are usually known as Trusted Root Certificates or Trusted Intermediate Certificates. You can continue to use these or replace them with a certificate bundle from a certificate authority used by your organization. Your system administrator should either tell you whether to use the supplied bundle, or provide you with one supported by your organization.
If you do not have a CA bundle, either the default supplied with the appliance, or one supplied by your organization, you will be unable to use HTTPS.
The default CA bundle is stored on the appliance in the following directory:
When the certificate signing authority has approved the request, they will generate the corresponding certificate bundle and return it as a
To replace the certificate bundle with one from a certificate authority used by your organization
- On the HTTPS Configuration page, click Upload in the CA Certificates row.
- Click Browse next to CA Certificate Bundle File and select the certificate bundle returned by the certificate signing authority.
- Click Apply.
The new certificate bundle is uploaded.
To download the existing CA certificate bundle
- Click Download in the CA Certificates row.
- Use the download dialog to choose the location on your local filesystem in which to save the file.
Using a Certificate Revocation List to revoke access to the appliance
You can use a Certificate Revocation List (CRL) to ensure that certificates that have been revoked by the CA can no longer be used to access the appliance. A CRL contains a list of certificates which have been revoked by the CA. You can also add compromised certificates to the CRL.
To apply a CRL
- On the HTTPS Configuration page, click Upload in the Certificate Revocation List row.
- Click Browse next to Certificate Revocation List and select the CRL to apply.
- Click Upload CRL.
The CRL is uploaded and applied.
Enabling or disabling HTTP and HTTPS access to the appliance
Use a two-stage approach to enabling redirect to HTTPS. Configure the HTTPS and test that it is configured correctly and permits access to authenticated users. Only then should you enable redirect to HTTPS.
If HTTPS is not configured correctly, and you enable redirect to HTTPS, you could be locked out of the appliance.
By default, users can access the BMC Discovery over HTTP. You can enable HTTPS connections on this page and specify that attempts to connect over HTTP should be redirected to HTTPS.
By default, API access is not permitted over HTTP. Using the API via HTTP is not recommended and should only be used for testing purposes
By default, HTTP access is enabled and HTTPS access is disabled.
To enable or disable HTTP and HTTPS access on the appliance
On the HTTPS Configuration page, click Configure.
- Enable or disable HTTPS access from the HTTPS list.
- Enable HTTP access or to redirect HTTP access attempts to HTTPS from the HTTP list.
- To enable API access over HTTP select Allow API Access via HTTP.
This screen illustrates an example testing configuration with HTTPS disabled, HTTP enabled, and API access permitted over HTTP.
This screen illustrates an example more suited to production, with HTTPS enabled, HTTP redirected to HTTPS, and API access not permitted over HTTP